Abstract — The problem in which one of three pairwise interacting parties is required to securely compute a function of the inputs held by the other two, when one party may arbitrarily deviate from the computation protocol (active behavioral model), is studied. An information-theoretic characterization of unconditionally secure computation protocols under the active behavioral model is provided. A protocol for Hamming distance computation is provided and shown to be unconditionally secure under both active and passive behavioral models using the information-theoretic characterization. The difference between the notions of security under the active and passive behavioral models is illustrated through the BGW protocol for computing quadratic and Hamming distances; this protocol is secure under the passive model, but is shown to be not secure under the active model.

I. Introduction 

The subject of secure multiparty computation (SMC) is concerned with the design and analysis of distributed protocols that allow a mutually untrusting group to securely compute functions of their private inputs while not revealing any more information than must be inherently revealed by the computation itself. In this broad domain (see [1] for a detailed overview) one can consider computational or unconditional (information-theoretic) definitions of security, active or passive behavioral models, and the utilization of additional communication primitives, e.g., shared randomness via multi-terminal sources and/or channels. In this paper, we study secure computation involving three parties that can communicate via pairwise authenticated and error-free bitpipes where one party is required to compute a function of the inputs held by the other two. Our focus is on unconditional security and an active behavioral model in which one party may arbitrarily deviate from the computation protocol.

The scenario of three-party computation with one actively 
deviating party is interesting since no security guarantees 
are available in this scenario for the general SMC protocols 
of 0, 0. For the active behavioral model and only pairwise 
communication, the protocols of [2] are secure only if strictly less than a third of the parties are compromised. Thus,
nontrivial security guarantees are only available for a mini- 
mum of four parties. On the other hand certain computations, 
such as Byzantine agreement 0), are provably impossible 
in a three-party setting while other non-trivial computations 
are possible. A characterization of all functions that can be securely computed in a three-party setting with one actively deviating party is currently unavailable.

The formulation of security in the active behavioral model 
requires careful consideration of the notions of correctness 
and privacy since a party may arbitrarily deviate from the 
protocol. A deviating party can always affect the integrity 
of the computation by simply changing its input data. This, 
however, should not be considered a security weakness since 
such an attack could also be mounted against a "trusted genie" 
who can receive all inputs, perform all computations, and 
deliver the results to the designated parties. A deviating party's 
ability to influence the computation or affect the privacy 
should, ideally, not exceed what could be done against such 
a trusted genie. Therefore, in the active behavioral model, a 
protocol is said to be secure if it adequately simulates a trusted 
genie that facilitates the computation. This is formalized by 
the real versus ideal model simulation paradigm for SMC [5].
The passive behavioral model, in contrast, assumes that all 
parties will adhere to the protocol, but may attempt to infer 
additional information from the "view" available to them from 
the protocol. To assess the security of a protocol in the 
passive behavioral model, one only needs to check that the 
protocol correctly computes the function while revealing no 
more information than what can be inherently inferred from 
the result of the computation. 

In our three-party problem setup, Alice has input $X$, Bob has input $Y$, and Charlie wants to compute the function $f(X, Y)$. In Section II we define security based on the real versus ideal model simulation paradigm [5] and develop an equivalent information-theoretic characterization that generalizes conditions developed for two parties in [6]. In Section III we present a simple arithmetic-based protocol for computing Hamming distance and show that it is unconditionally secure under both active and passive behavioral models using information-theoretic conditions. In Section IV we illustrate the difference between the notions of security under active and passive behavioral models through the BGW protocol for computing the quadratic and Hamming distances [2]. This protocol is secure under the passive behavioral model but is shown to be not secure under the active behavioral model.

II. Information-Theoretic Security Conditions 

We first define security for the active behavioral model, then state information-theoretic conditions that are equivalent to it, and finally present information-theoretic conditions for the passive behavioral model. For convenience, our development is suited to the specific case where only Alice and Bob have inputs and Charlie computes an output. However, one could also generalize this development to a scenario with all parties contributing an input and computing an output.

A. Real versus Ideal Model Simulation Paradigm 

A protocol $\Pi$ for three-party computation is a triple of algorithms $(A, B, C)$ that are intended to be executed by Alice, Bob, and Charlie, respectively. These algorithms may include instructions for processing inputs ($X$ for Alice and $Y$ for Bob), generating local randomness, performing intermediate local computations, sending messages to and receiving/processing messages from other parties, and producing local outputs. The outputs produced by Alice, Bob, and Charlie will be denoted by $U$, $V$, and $W$, respectively. A protocol $\Pi$ is the "real model" for three-party computation (cf. Figure 1(a)).

Fig. 1. A protocol is secure if any attack against it in the real model (a) can be equivalently mounted against the trusted genie in the ideal model (b).



In the "ideal model" for three-party computation, there is an additional fourth party: a trusted genie that facilitates the computation (cf. Figure 1(b)). An ideal model protocol $\Pi_I$ is a triple of algorithms $(A_I, B_I, C_I)$ that have a very specific structure: Alice's algorithm $A_I$ consists solely of an independent random functionality that takes as an input only $X$ and outputs $U_I$ and $X_I$, and can be modeled as a conditional distribution $P_{U_I, X_I \mid X}$. Likewise, Bob's algorithm $B_I$ is an independent random functionality that takes as an input only $Y$ and outputs $V_I$ and $Y_I$, and can be modeled as a conditional distribution $P_{V_I, Y_I \mid Y}$. The random variables $X_I$ and $Y_I$ represent the inputs that Alice and Bob give to the trusted genie, and $U_I$ and $V_I$ respectively represent Alice's and Bob's outputs. The trusted genie receives $(X_I, Y_I)$ from Alice and Bob, computes $f(X_I, Y_I)$ and sends this to Charlie. If either Alice or Bob refuses to send their input to the trusted genie or sends an invalid input, e.g., inputs not belonging to the proper alphabets $\mathcal{X}$ or $\mathcal{Y}$, then the genie assumes a valid default input. Charlie's algorithm $C_I$ is a random functionality that takes $f(X_I, Y_I)$ as input and produces $W_I$ as output, and can be modeled as a conditional distribution $P_{W_I \mid f(X_I, Y_I)}$.

Definition 1 (Honest Ideal Model Protocol): The ideal model protocol $\Pi_I = (A_I, B_I, C_I)$ is called "honest" if $U_I = V_I = \emptyset$, $X_I = X$, $Y_I = Y$, and $W_I = f(X_I, Y_I) = f(X, Y)$.

In our problem, at most one party may actively deviate 
from the protocol, and no collusions form between any parties. 
This motivates the following definition that captures the active 
behavioral model of interest. 

Definition 2 (Admissible Deviation): A protocol $\tilde{\Pi} = (\tilde{A}, \tilde{B}, \tilde{C})$ is an admissible deviation of $\Pi = (A, B, C)$ if at most one of $(\tilde{A}, \tilde{B}, \tilde{C})$ differs from $(A, B, C)$.

In the real versus ideal model simulation paradigm, a real 
model protocol is considered to be secure if it can be shown 
that for every attack against the protocol - captured through 
the above notion of an admissible deviation of a protocol - 
a statistically equivalent attack can be mounted against the 
honest ideal model protocol in the ideal model. The following 
definition makes this notion precise. 

Definition 3 (Security Against Active Behavior): A three-party protocol $\Pi = (A, B, C)$ securely computes $f(X, Y)$ under the active behavioral model if, for every real model protocol $\tilde{\Pi} = (\tilde{A}, \tilde{B}, \tilde{C})$ that is an admissible deviation of $\Pi$ and for any distribution $P_{X,Y}$ on inputs $(X, Y) \sim P_{X,Y}$, there exists an ideal model protocol $\tilde{\Pi}_I = (\tilde{A}_I, \tilde{B}_I, \tilde{C}_I)$ that is an admissible deviation of the honest ideal model protocol $\Pi_I$, where the same players are honest, such that

$$P_{U, V, W \mid X, Y} = P_{U_I, V_I, W_I \mid X, Y}, \tag{1}$$

where $(U, V, W)$ are the outputs of the protocol $\tilde{\Pi}$ in the real model with inputs $(X, Y)$ and $(U_I, V_I, W_I)$ are the outputs of the protocol $\tilde{\Pi}_I$ in the ideal model with inputs $(X, Y)$.

Contained within the above definition of security is the 
requirement that a secure protocol must ensure that Charlie 
will correctly compute the function if none of the parties 
deviate from the protocol. This is because no deviation is 
an admissible deviation and corresponds to the honest ideal 
model protocol which results in correct computation of the 
function. Privacy requirements against a deviating party are 
also contained within this security definition since the deviat- 
ing party may include arbitrary additional information in its 
output. The above security definition precludes this additional 
output information from containing any information that could 
not be obtained by the party deviating in the ideal model. 
This definition provides perfect security; however, one could weaken the definition with the equality of (1) replaced by an "$\epsilon$-closeness" requirement, as done in [7] for two parties.

B. Security Conditions for the Active Behavioral Model 

The following theorem describes information-theoretic conditions that are equivalent to the security conditions given by Definition 3. These conditions provide an alternative way to test whether a given protocol is secure under the active behavioral model directly in the real model without explicit reference to an ideal model or a trusted genie. In contrast, Definition 3 needs to refer to an ideal model.

Theorem 1: A real-model three-party protocol $\Pi = (A, B, C)$ securely computes $f(X, Y)$ under the active behavioral model if, and only if, for every real model protocol $\tilde{\Pi} = (\tilde{A}, \tilde{B}, \tilde{C})$ that is an admissible deviation of $\Pi$, and for any distribution $P_{X,Y}$ on inputs $(X, Y)$, the algorithms $(\tilde{A}, \tilde{B}, \tilde{C})$ respectively produce outputs $(U, V, W)$ such that the following conditions are satisfied:

• (Correctness) If $\tilde{\Pi} = \Pi$, then

$$\Pr[(U, V, W) = (\emptyset, \emptyset, f(X, Y))] = 1. \tag{2}$$

• (Security against Alice) If $(\tilde{B}, \tilde{C}) = (B, C)$, then $\exists\, \tilde{X}$:

$$I(U, \tilde{X}; Y \mid X) = 0, \tag{3}$$
$$\Pr[(V, W) = (\emptyset, f(\tilde{X}, Y))] = 1. \tag{4}$$

• (Security against Bob) If $(\tilde{A}, \tilde{C}) = (A, C)$, then $\exists\, \tilde{Y}$:

$$I(V, \tilde{Y}; X \mid Y) = 0, \tag{5}$$
$$\Pr[(U, W) = (\emptyset, f(X, \tilde{Y}))] = 1. \tag{6}$$

• (Security against Charlie) If $(\tilde{A}, \tilde{B}) = (A, B)$, then

$$I(W; X, Y \mid f(X, Y)) = 0, \tag{7}$$
$$\Pr[(U, V) = (\emptyset, \emptyset)] = 1. \tag{8}$$

Proof: In order to prove the equivalence of the 
information-theoretic conditions with respect to the ideal vs 
real model definition, we must show that the conditions are 
both necessary and sufficient. 

(Necessity) First, we show that the conditions are necessary, that is, if the protocol $\Pi$ securely computes $f(X, Y)$ then the information-theoretic conditions must hold. Consider any real model protocol $\tilde{\Pi} = (\tilde{A}, \tilde{B}, \tilde{C})$ that is an admissible deviation of $\Pi$. Since the protocol is secure, there must exist an ideal model protocol $\tilde{\Pi}_I = (\tilde{A}_I, \tilde{B}_I, \tilde{C}_I)$ that is an admissible deviation of the honest ideal model protocol $\Pi_I = (A_I, B_I, C_I)$, where the same players are honest, such that

$$P_{U, V, W \mid X, Y} = P_{U_I, V_I, W_I \mid X, Y},$$

where $(U, V, W)$ are the outputs of the protocol $\tilde{\Pi}$ in the real model with inputs $(X, Y)$ and $(U_I, V_I, W_I)$ are the outputs of the protocol $\tilde{\Pi}_I$ in the ideal model with inputs $(X, Y)$.

In the case that all of the players are honest, that is $\tilde{\Pi} = \Pi$, the corresponding ideal model protocol $\tilde{\Pi}_I$ is the same as $\Pi_I$, and thus the ideal model outputs $U_I$ and $V_I$ are null and $W_I = f(X, Y)$ with probability one. Since $P_{U, V, W \mid X, Y} = P_{U_I, V_I, W_I \mid X, Y}$, we have that

$$\Pr[(U, V, W) = (\emptyset, \emptyset, f(X, Y))] = 1.$$

Now we consider the case that Alice is dishonest and Bob and Charlie are honest. In the ideal model, we have that

$$I(U_I, X_I; Y \mid X) = 0,$$

since $U_I$ and $X_I$ are generated only from $X$, and also, by the structure of the ideal model and the honesty of Bob and Charlie,

$$\Pr[W_I = f(X_I, Y)] = 1,$$

while $V_I$ is null. Since $P_{U, V, W \mid X, Y} = P_{U_I, V_I, W_I \mid X, Y}$, we have that $V$ is identically distributed as $V_I$ and hence is also null, and we can define a random variable $\tilde{X}$ that is distributed according to

$$P_{\tilde{X} \mid X, Y, U, V, W} := P_{X_I \mid X, Y, U_I, V_I, W_I},$$

such that

$$I(U, \tilde{X}; Y \mid X) = 0,$$

and

$$\Pr[W = f(\tilde{X}, Y)] = 1.$$

The argument for the case that Bob is dishonest is symmetric to the case of a dishonest Alice. This leaves the case when Charlie is dishonest. In the ideal model, Charlie's output satisfies

$$I(W_I; X, Y \mid f(X, Y)) = 0,$$

since $W_I$ is only generated from $f(X_I, Y_I)$, and $(X_I, Y_I) = (X, Y)$ since Alice and Bob are honest. Also, since Alice and Bob are honest, their outputs $U_I$ and $V_I$ are null. Since $P_{U, V, W \mid X, Y} = P_{U_I, V_I, W_I \mid X, Y}$, we must also have that

$$I(W; X, Y \mid f(X, Y)) = 0, \qquad \Pr[(U, V) = (\emptyset, \emptyset)] = 1.$$

(Sufficiency) Now, we must show that the conditions are sufficient, that is, if the information-theoretic conditions hold then the protocol is secure. Consider any real model protocol $\tilde{\Pi} = (\tilde{A}, \tilde{B}, \tilde{C})$ that is an admissible deviation of $\Pi$ and assume that the information-theoretic conditions hold. We must now construct an ideal model protocol $\tilde{\Pi}_I = (\tilde{A}_I, \tilde{B}_I, \tilde{C}_I)$ that is an admissible deviation of the honest ideal model protocol $\Pi_I = (A_I, B_I, C_I)$, where the same players are honest, such that

$$P_{U, V, W \mid X, Y} = P_{U_I, V_I, W_I \mid X, Y},$$

where $(U, V, W)$ are the outputs of the protocol $\tilde{\Pi}$ in the real model with inputs $(X, Y)$ and $(U_I, V_I, W_I)$ are the outputs of the protocol $\tilde{\Pi}_I$ in the ideal model with inputs $(X, Y)$.

In the case that all of the players are honest, the information-theoretic conditions state that $U$ and $V$ are null and that $W = f(X, Y)$ with probability one. The honest ideal model protocol also produces null outputs for Alice and Bob, that is $U_I$ and $V_I$ are null, and Charlie's output $W_I = f(X, Y)$. Thus, we have that

$$P_{U, V, W \mid X, Y} = P_{U_I, V_I, W_I \mid X, Y}.$$

In the case that Alice is dishonest, we must construct an ideal model protocol, with an honest Bob and Charlie, that produces statistically equivalent outputs. Let Alice's ideal model algorithm $\tilde{A}_I$ be defined by the conditional distribution

$$P_{U_I, X_I \mid X} := P_{U, \tilde{X} \mid X},$$

which governs how Alice generates $U_I$ and $X_I$ based on only $X$. Since Bob and Charlie are honest, that is $\tilde{B}_I = B_I$ and $\tilde{C}_I = C_I$, with probability one their outputs are given by

$$V_I = \emptyset \quad \text{and} \quad W_I = f(X_I, Y).$$



Considering the conditional distribution of $U_I$ and $W_I$ given $X$ and $Y$, we have that

$$P_{U_I, W_I \mid X, Y} = \sum_{\tilde{x}} P_{U_I, W_I, X_I \mid X, Y} = \sum_{\tilde{x}} P_{U_I, X_I \mid X, Y}\, P_{W_I \mid X, Y, U_I, X_I} = \sum_{\tilde{x}} P_{U_I, X_I \mid X}\, P_{W_I \mid Y, X_I},$$

since $U_I$ and $X_I$ are only generated from $X$ and $W_I = f(X_I, Y)$, and hence

$$P_{W_I \mid Y, X_I}(w \mid y, \tilde{x}) = \begin{cases} 1, & \text{if } w = f(\tilde{x}, y), \\ 0, & \text{otherwise.} \end{cases} \tag{9}$$

Likewise, we can manipulate the conditional distribution of $U$ and $W$ given $X$ and $Y$, using the conditions given by (3) and (4),

$$P_{U, W \mid X, Y} = \sum_{\tilde{x}} P_{U, W, \tilde{X} \mid X, Y} = \sum_{\tilde{x}} P_{U, \tilde{X} \mid X, Y}\, P_{W \mid X, Y, U, \tilde{X}} = \sum_{\tilde{x}} P_{U, \tilde{X} \mid X}\, P_{W \mid Y, \tilde{X}}.$$

Since $P_{U_I, X_I \mid X} = P_{U, \tilde{X} \mid X}$ by design and $P_{W \mid Y, \tilde{X}} = P_{W_I \mid Y, X_I}$ due to (4) and (9), we have that $P_{U, W \mid X, Y} = P_{U_I, W_I \mid X, Y}$. Since both $V_I$ and $V$ are null, we have that $P_{U, V, W \mid X, Y} = P_{U_I, V_I, W_I \mid X, Y}$.

The argument for the case that Bob is dishonest is symmetric to the case of a dishonest Alice. This leaves the case when Charlie is dishonest. Let Charlie's ideal model algorithm $\tilde{C}_I$ be defined by the following conditional distribution that governs how Charlie generates $W_I$ based on only $f(X_I, Y_I)$:

$$P_{W_I \mid f(X_I, Y_I)} := P_{W \mid f(X, Y)} = P_{W \mid f(X, Y), X, Y},$$

due to (7). Note that since Alice and Bob are honest, $(X_I, Y_I) = (X, Y)$, and $U_I$ and $V_I$ are null. Considering the conditional distribution of $W_I$ given $X, Y$,

$$\begin{aligned}
P_{W_I \mid X, Y} &= \sum_{f} P_{W_I, f(X_I, Y_I) \mid X, Y} \\
&= \sum_{f} P_{W_I \mid f(X_I, Y_I), X, Y}\, P_{f(X_I, Y_I) \mid X, Y} \\
&= \sum_{f} P_{W_I \mid f(X_I, Y_I)}\, P_{f(X, Y) \mid X, Y} \\
&= \sum_{f} P_{W \mid f(X, Y), X, Y}\, P_{f(X, Y) \mid X, Y} \\
&= \sum_{f} P_{W, f(X, Y) \mid X, Y} = P_{W \mid X, Y}.
\end{aligned}$$



C. Security Conditions for the Passive Behavioral Model 

In the passive behavioral model, all parties correctly follow 
the protocol, but may still attempt to learn as much new 
information as they can from the messages that they receive 
from other parties during the execution of the protocol. A 
protocol is secure against passive behavior if it produces 
correct computation results and reveals no more information 
to any party than what can be inherently inferred from their 
own input or computation result. Thus, security against passive 
behavior is a statement about the correctness and the informa- 
tion leakage properties of a protocol. We directly state the 
information-theoretic conditions for security under the passive 
behavioral model, which one can similarly derive from a real 
versus ideal model definition. 

Definition 4 (Security Against Passive Behavior): A three-party protocol $\Pi = (A, B, C)$ securely computes $f(X, Y)$ under the passive behavioral model (with no collusions) if, after Alice, Bob, and Charlie execute the protocol, the following conditions are satisfied:

• (Correctness) $\Pr[(U, V, W) = (\emptyset, \emptyset, f(X, Y))] = 1$.

• (Privacy against Alice) $I(M_1; Y, f(X, Y) \mid X) = 0$, where $M_1$ denotes the "view" of Alice, consisting of all the local randomness generated, local computations performed, and messages sent and received by Alice.

• (Privacy against Bob) $I(M_2; X, f(X, Y) \mid Y) = 0$, where $M_2$ denotes the view of Bob.

• (Privacy against Charlie) $I(M_3; X, Y \mid f(X, Y)) = 0$, where $M_3$ denotes the view of Charlie.

In general, security of a protocol under the active behavioral 
model does not necessarily imply security of a protocol under 
the passive behavioral model [8]. This may seem counterintuitive at first since possible attacks by active parties are surely
expected to subsume the possible "passive attacks". This can 
be resolved by observing that the definition of security under 
the active behavioral model compares admissible deviations 
(active attacks) in the real model to possible active attacks in 
the ideal model. This comparison to a benchmark involving 
active attacks in the ideal model potentially results in more 
permissive privacy conditions than the information leakage 
conditions required in the passive behavioral model. To illus- 
trate this difference, consider the following two-party example 
(from [8]): Alice and Bob each have a bit and Bob wishes to 
compute the Boolean AND of the bits, while Alice computes 
nothing. A protocol where Alice simply gives Bob her bit and 
he computes his desired function is clearly insecure under the 
passive behavioral model since Alice directly reveals her bit, 
whereas the AND function should only reveal her bit if Bob's 
bit is one. However, this protocol would be secure in the active 
behavioral model since a deviating Bob could change his input 
to one to always reveal the value of Alice's bit from the trusted 
genie in the ideal model. 

Thus, since $P_{W \mid X, Y} = P_{W_I \mid X, Y}$ and both $(U, V)$ and $(U_I, V_I)$ are null, we have that $P_{U, V, W \mid X, Y} = P_{U_I, V_I, W_I \mid X, Y}$. ■

III. A Secure Protocol for Hamming Distance



We now present and analyze a simple finite-field arithmetic-based protocol HamDist that securely computes the Hamming distance for finite-field sequences under both passive and active behavioral models. The security of this protocol will be proved using the information-theoretic conditions for security under (i) the active behavioral model (Theorem 1) and (ii) the passive behavioral model (Definition 4). We assume that Alice and Bob have finite-field sequences $X := X^n$ and $Y := Y^n$, respectively, with $X^n, Y^n \in \mathbb{F}_{p^k}^n$, where $\mathbb{F}_{p^k}$ is the finite field of prime-power order $p^k$. Charlie wishes to compute the Hamming distance $f(X^n, Y^n) := \sum_{i=1}^n \mathbb{1}\{X_i \neq Y_i\}$. Protocol HamDist proceeds as follows:

1) Alice randomly chooses two independent sequences $R^n, Z^n \in \mathbb{F}_{p^k}^n$, where $R^n$ is uniform over all sequences and $Z^n$ is uniform over $(\mathbb{F}_{p^k} \setminus \{0\})^n$. Alice also randomly chooses a permutation $\pi$ of $\{1, \ldots, n\}$, uniformly and independently of $(X^n, Y^n, R^n, Z^n)$.

2) Alice sends $R^n$, $Z^n$ and $\pi$ to Bob.

3) Alice sends $A^n := \pi(Z^n \otimes (X^n \ominus R^n))$ to Charlie, where $\ominus$ and $\otimes$ respectively denote element-wise field subtraction and multiplication, and $\pi(\cdot)$ denotes sequence permutation via $\pi$.

4) Bob sends $B^n := \pi(Z^n \otimes (R^n \ominus Y^n))$ to Charlie.

5) Charlie combines the messages from Alice and Bob, via element-wise field addition, and outputs the Hamming weight of the sequence $(A^n \oplus B^n)$.

During the execution of the protocol, if any party fails to send a message or sends an invalid message to another party, a valid default message is assumed by the receiving party. Also, any extraneous messages are simply ignored. For example, in step two, Bob expects to receive two sequences and a permutation from Alice. If Alice omits or sends invalid messages (e.g., $R^n$ or $Z^n$ are not finite-field sequences of the appropriate length, $Z^n$ contains a zero, $\pi$ is not a valid permutation), Bob would interpret an invalid or missing sequence as, for instance, an all-one sequence, and an invalid or missing permutation as the identity permutation. The specific default message assumed in the case of invalid or missing messages is unimportant and could be replaced by any other valid fixed message.
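The five steps of HamDist, as an added Python example that is not part of the paper: it fixes the prime field $\mathbb{F}_7$ (so $k = 1$ and field operations are plain modular arithmetic), uses 0-indexed positions for sequences and permutations, and draws the randomness from Python's `random` module as a stand-in for uniform sampling. Beyond the honest run, `effective_input` implements the map $\tilde{X}^n := \tilde{R}^n \oplus (\tilde{\pi}^{-1}(\tilde{A}^n) \oslash \tilde{Z}^n)$ that the proof of Theorem 2 uses, so one can check on concrete inputs that an arbitrary message from Alice changes Charlie's output only in the way a changed input to the trusted genie would.

```python
import random

# Constructed for this example: a prime field F_p with p = 7 (the paper allows any
# prime-power order p^k; k = 1 keeps the arithmetic to plain modular operations).
P = 7


def hamming_distance(x, y):
    """Reference f(X^n, Y^n): the number of positions where the two sequences differ."""
    return sum(1 for a, b in zip(x, y) if a != b)


def apply_perm(perm, seq):
    """pi(seq): output position i holds seq[perm[i]] (0-indexed positions)."""
    return [seq[perm[i]] for i in range(len(seq))]


def inverse_perm(perm, seq):
    """pi^{-1}(seq): undo apply_perm, so inverse_perm(perm, apply_perm(perm, s)) == s."""
    out = [0] * len(seq)
    for i, src in enumerate(perm):
        out[src] = seq[i]
    return out


def alice_messages(x, rng):
    """Steps 1-3: Alice draws R^n, Z^n, pi and forms A^n = pi(Z^n (x) (X^n (-) R^n))."""
    n = len(x)
    r = [rng.randrange(P) for _ in range(n)]        # R^n uniform over F_p^n
    z = [rng.randrange(1, P) for _ in range(n)]     # Z^n uniform over (F_p \ {0})^n
    perm = list(range(n))
    rng.shuffle(perm)                               # pi uniform over permutations
    a = apply_perm(perm, [(zi * (xi - ri)) % P for xi, ri, zi in zip(x, r, z)])
    return (r, z, perm), a


def bob_message(y, r, z, perm):
    """Step 4: B^n = pi(Z^n (x) (R^n (-) Y^n)) using the randomness received from Alice."""
    return apply_perm(perm, [(zi * (ri - yi)) % P for yi, ri, zi in zip(y, r, z)])


def charlie_output(a, b):
    """Step 5: Hamming weight of A^n (+) B^n = pi(Z^n (x) (X^n (-) Y^n))."""
    combined = [(ai + bi) % P for ai, bi in zip(a, b)]
    return sum(1 for c in combined if c != 0)


def run_hamdist(x, y, seed=0):
    """Honest execution; returns Charlie's output W."""
    rng = random.Random(seed)
    (r, z, perm), a = alice_messages(x, rng)
    b = bob_message(y, r, z, perm)
    return charlie_output(a, b)


def effective_input(a_tilde, r, z, perm):
    """X~^n = R^n (+) (pi^{-1}(A~^n) (/) Z^n): the input that an arbitrary message
    A~^n from Alice is equivalent to (the construction in the proof of Theorem 2).
    Division by Z_i is multiplication by Z_i^{-1} = Z_i^{p-2} mod p."""
    unpermuted = inverse_perm(perm, a_tilde)
    return [(ri + ui * pow(zi, P - 2, P)) % P for ri, ui, zi in zip(r, unpermuted, z)]


def simulate_deviating_alice(x, y, a_tilde, seed=0):
    """Alice performs steps 1-2 honestly but sends an arbitrary A~^n in step 3.
    Returns (Charlie's output, f(X~^n, Y^n)); by Theorem 2 these are always equal,
    i.e. the deviation is no worse than submitting X~^n to the trusted genie."""
    rng = random.Random(seed)
    (r, z, perm), _ = alice_messages(x, rng)
    b = bob_message(y, r, z, perm)
    x_eff = effective_input(a_tilde, r, z, perm)
    return charlie_output(a_tilde, b), hamming_distance(x_eff, y)


if __name__ == "__main__":
    X, Y = [1, 2, 3, 0], [1, 0, 3, 4]            # constructed inputs, f(X, Y) = 2
    print(run_hamdist(X, Y), hamming_distance(X, Y))
    print(simulate_deviating_alice(X, Y, [6, 6, 6, 6]))
```

Charlie only ever sees $A^n \oplus B^n$, whose non-zero entries are uniform over $\mathbb{F}_7 \setminus \{0\}$ and whose positions are permuted, which is why the Hamming weight is all he can read off it; the effective-input check shows the other side of Theorem 2, namely that whatever Alice sends in step 3 is indistinguishable from an honest run on some $\tilde{X}^n$.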

Before we prove that the HamDist protocol is secure in the 
active behavioral model, we first establish two lemmas that 
will be used in the proof. 

Lemma 1: For random variables $A, B, X, Y$, the Markov chain $A - B - (X, Y)$ holds if and only if the Markov chains $A - B - X$ and $A - (B, X) - Y$ (or, by symmetry, $A - B - Y$ and $A - (B, Y) - X$) both hold.

Proof: The lemma follows from the identity

$$I(A; X, Y \mid B) = I(A; X \mid B) + I(A; Y \mid B, X),$$

since the conditional mutual information on the left hand side is equal to zero if and only if the Markov chain $A - B - (X, Y)$ holds, and the conditional mutual informations on the right hand side are equal to zero if and only if the Markov chains $A - B - X$ and $A - (B, X) - Y$ both hold. ■

Lemma 2: If the random variables $A, B, X, Y$ satisfy the Markov chains $A - B - X$ and $A - (B, X) - Y$, then $A - B - Y$ also forms a Markov chain.

Proof: The given Markov chains imply, by Lemma 1, that $A - B - (X, Y)$ forms a Markov chain, which also implies, by symmetry, that $A - B - Y$ forms a Markov chain. ■

Theorem 2: Protocol HamDist is secure under the active 
behavioral model. 

Proof: (Correctness) When all parties follow the protocol, Charlie computes $A^n \oplus B^n = \pi(Z^n \otimes (X^n \ominus Y^n))$, which has Hamming weight equal to the Hamming distance between $X^n$ and $Y^n$, since, for each $i$, $Z_i (X_i - Y_i)$ is non-zero if and only if $X_i \neq Y_i$. Hence,

$$\Pr[W = f(X^n, Y^n)] = 1.$$

Also, Alice and Bob produce null outputs as specified by the protocol.

Since any invalid or missing messages are interpreted by 
the receiver as some default message, we can assume, without 
loss of generality, that the arbitrarily modified algorithms send 
well-formed messages belonging to the prescribed message 
alphabets. 

(Security against Alice) Let $\tilde{R}^n \in \mathbb{F}_{p^k}^n$ denote the sequence (corresponding to $R^n$), $\tilde{Z}^n \in (\mathbb{F}_{p^k} \setminus \{0\})^n$ denote the sequence (corresponding to $Z^n$), and $\tilde{\pi} \in \mathcal{P}(\{1, \ldots, n\})$ denote the permutation that Alice sends to Bob. Let $\tilde{A}^n \in \mathbb{F}_{p^k}^n$ denote the sequence that Alice sends to Charlie. Let $\tilde{X}^n := \tilde{R}^n \oplus (\tilde{\pi}^{-1}(\tilde{A}^n) \oslash \tilde{Z}^n)$, where $\tilde{\pi}^{-1}(\cdot)$ denotes the inverse application of the permutation $\tilde{\pi}$, and $\oslash$ denotes element-wise field division.

Since Alice does not receive any messages, $\tilde{R}^n$, $\tilde{Z}^n$, $\tilde{A}^n$, $\tilde{\pi}$, and $U$ can only be generated from $X^n$, and since $\tilde{X}^n$ is a function of $\tilde{R}^n$, $\tilde{Z}^n$, $\tilde{A}^n$, and $\tilde{\pi}$, we have that $Y^n - X^n - (\tilde{R}^n, \tilde{Z}^n, \tilde{A}^n, \tilde{\pi}, U) - (\tilde{X}^n, U)$ forms a Markov chain, hence

$$I(U, \tilde{X}^n; Y^n \mid X^n) = 0.$$

Since Bob and Charlie are following the protocol, the messages from Alice and Bob's input $Y^n$ are ultimately combined by Charlie to form the vector

$$\tilde{A}^n \oplus B^n = \tilde{\pi}(\tilde{Z}^n \otimes (\tilde{X}^n \ominus \tilde{R}^n)) \oplus \tilde{\pi}(\tilde{Z}^n \otimes (\tilde{R}^n \ominus Y^n)) = \tilde{\pi}(\tilde{Z}^n \otimes (\tilde{X}^n \ominus Y^n)),$$

from which he computes the Hamming weight to produce the output $W = f(\tilde{X}^n, Y^n)$. Bob, following the protocol, does not produce an output, hence $V$ is null.

(Security against Bob) Bob receives the random sequences $(R^n, Z^n)$ and random permutation $\pi$ from Alice. Let $\tilde{B}^n \in \mathbb{F}_{p^k}^n$ denote the sequence that Bob sends to Charlie. Let $\tilde{Y}^n := R^n \ominus (\pi^{-1}(\tilde{B}^n) \oslash Z^n)$.

The message $\tilde{B}^n$ can only be generated from $R^n$, $Z^n$, $\pi$, and $Y^n$, thus $\tilde{B}^n - (R^n, Z^n, \pi, Y^n) - X^n$ forms a Markov chain. Since $(R^n, Z^n, \pi)$ is independent of $(X^n, Y^n)$, we have that $(R^n, Z^n, \pi) - Y^n - X^n$ trivially forms a Markov chain. These two Markov chains imply that $(\tilde{B}^n, R^n, Z^n, \pi) - Y^n - X^n$ forms a Markov chain by Lemma 1. Since $\tilde{Y}^n$ is a function of $(\tilde{B}^n, R^n, Z^n, \pi)$ and $V$ can only be generated from $Y^n$, $R^n$, $Z^n$, $\pi$, $\tilde{B}^n$, and $\tilde{Y}^n$, we have that $(V, \tilde{Y}^n) - (\tilde{B}^n, R^n, Z^n, \pi, Y^n) - Y^n - X^n$ forms a Markov chain, hence

$$I(V, \tilde{Y}^n; X^n \mid Y^n) = 0.$$

Since Alice and Charlie are following the protocol, the message from Bob and Alice's input $X^n$ are ultimately combined by Charlie to form the vector

$$A^n \oplus \tilde{B}^n = \pi(Z^n \otimes (X^n \ominus R^n)) \oplus \pi(Z^n \otimes (R^n \ominus \tilde{Y}^n)) = \pi(Z^n \otimes (X^n \ominus \tilde{Y}^n)),$$

from which he computes the Hamming weight to produce the output $W = f(X^n, \tilde{Y}^n)$. Alice, following the protocol, does not produce an output, hence $U$ is null.

(Security against Charlie) Charlie receives $A^n$ from Alice and $B^n$ from Bob. Charlie's output $W$ can only be generated from $A^n$ and $B^n$, thus $W - (A^n, B^n) - (X^n, Y^n)$ forms a Markov chain. Since $f(X^n, Y^n)$ is a function of $A^n$ and $B^n$, we have that

$$(X^n, Y^n) - (A^n, B^n, f(X^n, Y^n)) - W \tag{10}$$

also forms a Markov chain. Further, the Markov chain

$$(X^n, Y^n) - f(X^n, Y^n) - (A^n, B^n) \tag{11}$$

holds due to the following,

$$\begin{aligned}
I(A^n, B^n; X^n, Y^n \mid f(X^n, Y^n)) &\overset{(a)}{=} I(B^n, A^n \oplus B^n; X^n, Y^n \mid f(X^n, Y^n)) \\
&= H(X^n, Y^n \mid f(X^n, Y^n)) - H(X^n, Y^n \mid B^n, A^n \oplus B^n, f(X^n, Y^n)) \\
&\overset{(b)}{=} H(X^n, Y^n \mid f(X^n, Y^n)) - H(X^n, Y^n \mid A^n \oplus B^n, f(X^n, Y^n)) \\
&= I(A^n \oplus B^n; X^n, Y^n \mid f(X^n, Y^n)) \\
&\overset{(c)}{=} 0,
\end{aligned}$$

where (a) holds since $A^n$ is a function of $(B^n, A^n \oplus B^n)$ and $(A^n \oplus B^n)$ is a function of $(A^n, B^n)$, (b) is due to the independence and uniformity of $R^n$, and (c) holds since $f(X^n, Y^n)$ is a sufficient statistic for $A^n \oplus B^n = \pi(Z^n \otimes (X^n \ominus Y^n))$. The multiplication of each $(X_i - Y_i)$ with $Z_i$ results in a uniformly random value in $(\mathbb{F}_{p^k} \setminus \{0\})$ that is independent from $(X_i, Y_i)$ when $X_i \neq Y_i$. Thus, the sequence $Z^n \otimes (X^n \ominus Y^n)$ would only reveal where $X_i$ and $Y_i$ are not equal, and the randomly permuted sequence $\pi(Z^n \otimes (X^n \ominus Y^n))$ would only reveal the number of locations where they are not equal, which is no more than what would be revealed by the Hamming distance $f(X^n, Y^n)$. By Lemma 2 and the Markov chains in (10) and (11), we have that $(X^n, Y^n) - f(X^n, Y^n) - W$ forms a Markov chain, and hence

$$I(W; X^n, Y^n \mid f(X^n, Y^n)) = 0.$$

Also, since Alice and Bob follow the protocol, their outputs, $U$ and $V$, are null. ■

As previously discussed, security of a protocol under the active behavioral model does not necessarily imply security of a protocol under the passive behavioral model [8]. We, however, have the following result.

Theorem 3: Protocol HamDist is secure under the passive 
behavioral model. 

Proof: (Correctness) The protocol is correct according to 
the same argument as for the active behavioral model. 

(Privacy against Alice) The protocol is private against Alice since she does not even receive any messages and hence no information from other parties. Formally,

$$I(M_1; Y^n, f(X^n, Y^n) \mid X^n) = I(\pi, R^n, Z^n, \pi(Z^n \otimes (X^n \ominus R^n)); Y^n, f(X^n, Y^n) \mid X^n) = I(\pi, R^n, Z^n; Y^n, f(X^n, Y^n) \mid X^n) = 0,$$

since $\pi(Z^n \otimes (X^n \ominus R^n))$ is a function of $(\pi, R^n, Z^n, X^n)$, and $(\pi, R^n, Z^n)$ are independent of $X^n$ and $Y^n$.

(Privacy against Bob) The protocol is private against Bob since the only messages from Alice that he receives are independent of $X^n$, $Y^n$, $W$. Formally,

$$I(M_2; X^n, f(X^n, Y^n) \mid Y^n) = I(\pi, R^n, Z^n, \pi(Z^n \otimes (R^n \ominus Y^n)); X^n, f(X^n, Y^n) \mid Y^n) = I(\pi, R^n, Z^n; X^n, f(X^n, Y^n) \mid Y^n) = 0,$$

since $\pi(Z^n \otimes (R^n \ominus Y^n))$ is a function of $(\pi, R^n, Z^n, Y^n)$, and $(\pi, R^n, Z^n)$ are independent of $X^n$ and $Y^n$.

(Privacy against Charlie) The protocol is private against Charlie since the messages that he receives from Alice and Bob are only sufficient to reveal $\pi(Z^n \otimes (X^n \ominus Y^n))$, which reveals no more information about $X^n$ and $Y^n$ than the Hamming distance. Formally,

$$I(M_3; X^n, Y^n \mid f(X^n, Y^n)) = I(A^n, B^n; X^n, Y^n \mid f(X^n, Y^n)) = 0,$$

due to (11). ■

IV. Inadequacy of BGW for Quadratic Distance 

Under the passive behavioral model (with no collusions), 
any function can be securely computed amongst three parties 
using the secure computation methods of [2] that are based 
on homomorphic polynomial secret sharing [9] and is called 
the BGW protocol. Since we are dealing with three parties, 
the techniques proposed in [2] for active adversaries, which
require a minimum of four parties, are not applicable. We 
describe the BGW protocol for three-party quadratic and Ham- 
ming distance computation and show that it is insecure under 
the active behavioral model. The question as to whether there 
exist protocols that securely compute the quadratic distance 
under the active behavioral model remains open. 

We assume that Alice and Bob respectively have integer sequences $X^n, Y^n \in \mathbb{Z}_s^n$, where $\mathbb{Z}_s := \{0, 1, \ldots, s-1\}$. We embed the set $\mathbb{Z}_s$ in a finite field $\mathbb{Z}_N$ of prime order $N > n(s-1)^2$ with modulo-$N$ field arithmetic. This ensures that $\mathbb{Z}_N$ is large enough to simulate the necessary integer arithmetic for computing the quadratic distance $f(X^n, Y^n) = \sum_{i=1}^n (X_i - Y_i)^2$ while avoiding overflow (modulo) effects. Protocol BGW for computing the quadratic distance proceeds as follows:



1) Alice randomly chooses $\alpha_1, \ldots, \alpha_n \sim$ iid Unif$(\mathbb{Z}_N)$ independently of $(X^n, Y^n)$. For each $i \in \{1, \ldots, n\}$, Alice creates a polynomial $p_i : \mathbb{Z}_N \to \mathbb{Z}_N$ via $p_i(j) := \alpha_i j + X_i$. Alice sends Bob (party $j = 2$) the values $(p_1(2), \ldots, p_n(2))$, and Charlie (party $j = 3$) the values $(p_1(3), \ldots, p_n(3))$, while retaining $(p_1(1), \ldots, p_n(1))$ for herself (party $j = 1$).

2) Similarly, Bob randomly chooses $\beta_1, \ldots, \beta_n \sim$ iid Unif$(\mathbb{Z}_N)$ independently of $(X^n, Y^n)$, and creates polynomials $q_i(j) := \beta_i j + Y_i$. Bob sends Alice the values $(q_1(1), \ldots, q_n(1))$, and Charlie the values $(q_1(3), \ldots, q_n(3))$, while retaining $(q_1(2), \ldots, q_n(2))$.

3) Alice, Bob, and Charlie each individually compute samples of the polynomial $r : \mathbb{Z}_N \to \mathbb{Z}_N$ defined by $r(j) := \sum_{i=1}^n [p_i(j)^2 + q_i(j)^2 - 2 p_i(j) q_i(j)]$. Specifically, Alice computes $r(1)$ using $\{p_i(1), q_i(1)\}_{i=1}^n$. Likewise, Bob and Charlie compute $r(2)$ and $r(3)$, respectively.

4) Alice and Bob send $r(1)$ and $r(2)$, respectively, to Charlie.

5) Charlie reconstructs the degree-2 polynomial $r$ via interpolation from $r(1)$, $r(2)$, and $r(3)$. Finally, he obtains:

$$r(0) = \sum_{i=1}^n [p_i(0)^2 + q_i(0)^2 - 2 p_i(0) q_i(0)] = \sum_{i=1}^n [X_i^2 + Y_i^2 - 2 X_i Y_i] = f(X^n, Y^n).$$

Since quadratic distance coincides with Hamming distance for binary sequences ($s = 2$), the above protocol can also be used to compute the Hamming distance for binary sequences.

Proposition 1: For quadratic and Hamming distance com- 
putation, the BGW protocol is secure under the passive 
behavioral model, but not under the active behavioral model. 

Proof: The security of this protocol under the passive behavioral model is well-known (see [10] for a rigorous proof) and one can confirm that it satisfies the conditions of Definition 4. To show insecurity under the active behavioral model, it is sufficient to describe an attack that is able to influence the computation beyond what can be achieved against a trusted genie. For this, we demonstrate examples for both the quadratic and Hamming distance below.

Quadratic Distance ($s > 2$): The range $\mathcal{R}(f)$ of the quadratic distance is a proper subset of $\mathbb{Z}_{n(s-1)^2}$ since each function value is a sum of $n$ numbers from the set $\{x^2 : x \in \mathbb{Z}_s\}$. The finite field $\mathbb{Z}_N$ must have prime size $N > n(s-1)^2$ in order to simulate integer arithmetic as finite-field arithmetic. Hence, $\mathcal{R}(f) \subset \mathbb{Z}_N$, whereas $\mathbb{Z}_N \setminus \mathcal{R}(f)$ contains invalid outputs for the function computation. In the ideal model, for any attack by Alice (or symmetrically by Bob), the output of Charlie would still remain in $\mathcal{R}(f)$, since Alice can only affect it by changing her input. However, in the real model, Alice can launch a simple attack, where she randomly chooses the final message $r(1)$ sent to Charlie independently and uniformly over $\mathbb{Z}_N$. This causes Charlie's output to uniformly take values over $\mathbb{Z}_N$, including invalid values, due to the polynomial interpolation in computing his output. For fixed $r(2)$ and $r(3)$, each modified value of $r(1)$ corresponds to a unique interpolation result, since 3 samples uniquely determine a degree-2 polynomial. Due to this one-to-one relationship, a uniform distribution on $r(1)$ induces a uniform distribution on the computation result. Thus, the protocol is insecure as there exists an attack in the real model (against the protocol) that cannot be equivalently mounted in the ideal model. In addition to creating the possibility of an invalid output, the attack also makes the distribution of valid outputs uniform, which cannot occur in an attack against a trusted genie.
Hamming Distance ($s = 2$): Suppose that Alice and Bob have independent sequences of iid Bernoulli(1/2) bits. In the ideal model, for any attack by Alice (or symmetrically by Bob), the exclusive-OR of her string and Bob's is an iid Bernoulli(1/2) sequence since his string is iid Bernoulli(1/2) and independent of Alice's modified input. This means that for any attack by Alice against a trusted genie, Charlie's output is always distributed over $\{0, 1, \ldots, n\}$ as a binomial distribution with mean $n/2$. For the protocol in the real model, if $N = n + 1$ is prime, then $\mathbb{Z}_N$ can be used without containing any invalid outputs. However, Alice could launch a simple attack by randomly choosing the final message $r(1)$ sent to Charlie uniformly over $\mathbb{Z}_N$, causing Charlie's output to be uniformly distributed over $\{0, 1, \ldots, n\}$. Thus, the protocol is insecure since there exists an attack in the real model that influences the output in a manner that cannot be replicated by an attack against a trusted genie. ■
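The three-party BGW steps of Section IV and the one-to-one interpolation argument in the proof of Proposition 1, as an added Python example that is not part of the paper: it fixes the constructed parameters $n = 3$, $s = 3$ and the prime $N = 13 > n(s-1)^2 = 12$, uses Lagrange interpolation at 0 for step 5 (the paper does not fix an interpolation method), and stores sequences as 0-based lists. `valid_outputs` enumerates the range $\mathcal{R}(f)$, the natural range check Charlie could apply to his result, and `outputs_over_all_r1` shows, by enumeration rather than by sampling, that with $r(2), r(3)$ fixed the $N$ possible values of $r(1)$ reach all of $\mathbb{Z}_N$, including values outside $\mathcal{R}(f)$.

```python
import random

# Constructed parameters for this example: n = 3 positions over Z_s with s = 3, so the
# quadratic distance is at most n(s-1)^2 = 12 and the prime N = 13 > 12 avoids wrap-around.
N = 13


def quadratic_distance(x, y):
    """Reference f(X^n, Y^n) = sum_i (X_i - Y_i)^2 computed over the integers."""
    return sum((a - b) ** 2 for a, b in zip(x, y))


def share(values, rng):
    """Steps 1-2: for each value v_i pick alpha_i uniform in Z_N and form p_i(j) = alpha_i * j + v_i.
    Returns {j: (p_1(j), ..., p_n(j))} for the three parties j = 1, 2, 3."""
    alphas = [rng.randrange(N) for _ in values]
    return {j: [(al * j + v) % N for al, v in zip(alphas, values)] for j in (1, 2, 3)}


def local_r(p_shares, q_shares):
    """Step 3: r(j) = sum_i [p_i(j)^2 + q_i(j)^2 - 2 p_i(j) q_i(j)] mod N from one party's shares."""
    return sum(p * p + q * q - 2 * p * q for p, q in zip(p_shares, q_shares)) % N


def interpolate_at_zero(r1, r2, r3):
    """Step 5: Lagrange interpolation of the degree-2 polynomial through
    (1, r1), (2, r2), (3, r3) over Z_N, evaluated at 0 (i.e. r(0) = 3 r1 - 3 r2 + r3 mod N)."""
    points = {1: r1, 2: r2, 3: r3}
    total = 0
    for j, rj in points.items():
        num, den = 1, 1
        for k in points:
            if k != j:
                num = (num * (0 - k)) % N
                den = (den * (j - k)) % N
        total = (total + rj * num * pow(den, N - 2, N)) % N   # den^{-1} via Fermat
    return total


def run_bgw(x, y, seed=0):
    """Honest execution of steps 1-5; returns Charlie's output r(0)."""
    rng = random.Random(seed)
    p = share(x, rng)            # Alice's shares of X^n
    q = share(y, rng)            # Bob's shares of Y^n
    r1 = local_r(p[1], q[1])     # computed by Alice
    r2 = local_r(p[2], q[2])     # computed by Bob
    r3 = local_r(p[3], q[3])     # computed by Charlie
    return interpolate_at_zero(r1, r2, r3)


def valid_outputs(n, s):
    """R(f): every value the quadratic distance can take for length-n sequences over Z_s."""
    squares = [v * v for v in range(s)]
    sums = {0}
    for _ in range(n):
        sums = {t + sq for t in sums for sq in squares}
    return sums


def outputs_over_all_r1(r2, r3):
    """Proposition 1's one-to-one argument: with r(2), r(3) fixed, the N possible values of
    r(1) map to N distinct reconstructed values, i.e. all of Z_N, valid or not."""
    return {interpolate_at_zero(r1, r2, r3) for r1 in range(N)}


if __name__ == "__main__":
    X, Y = [2, 0, 1], [0, 1, 1]        # constructed inputs, f(X, Y) = 4 + 1 + 0 = 5
    print(run_bgw(X, Y), quadratic_distance(X, Y))
    print(sorted(outputs_over_all_r1(4, 9) - valid_outputs(3, 3)))   # reachable invalid values
```

With these parameters $\mathcal{R}(f) = \{0, 1, 2, 3, 4, 5, 6, 8, 9, 12\}$, so a range check by Charlie would flag the values 7, 10 and 11; the enumeration also makes the proposition's second point concrete, since the remaining ten values are reached equally often, so a range check detects only the invalid part of the deviation and says nothing about the uniform distribution over valid outputs.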